Chinese spies used NSA hacking tools to target U.S. allies: Reports

Chinese hackers acquired cyber weapons used by the U.S. National Security Agency and repurposed them to attack American allies, reports said Monday.

Researchers at Symantec, a U.S. cybersecurity firm, reported that hacking tools previously linked to the NSA were utilized in attacks waged by a group the company calls “Buckeye.”

Citing a classified NSA memo, The New York Times reported that Buckeye, also known as “Gothic Panda,” is a Chinese hacking group contracted by the Ministry of State Security.

The hackers leveraged two tools, called Eternal Synergy and Double Pulsar, to use in cyberattacks conducted against targets in Belgium, Luxembourg, Vietnam, the Philippines and Hong Kong, including scientific research organizations, educational institutions and at least one U.S. government ally, the reports said.

The attacks started in March 2016, months prior to both hacking tools being leaked online by a mysterious entity calling itself “Shadow Brokers.”

While both tools were widely weaponized by hackers after being shared by Shadow Brokers, Symantec’s research indicates the NSA lost control of at least some of its arsenal months earlier than that.

Eric Chien, a security director at Symantec, suggested Buckeye hackers might have acquired the tools as the result of being on the receiving end of a similar attack.

“This is the first time we’ve seen a case that people have long referenced in theory of a group recovering unknown vulnerabilities and exploits used against them, and then using these exploits to attack others,” Mr. Chien told The Times.

“We’ve learned that you cannot guarantee your tools will not get leaked and used against you and your allies,” Mr. Chien added.

The NSA did not immediately return a request for comment.

Shadow Brokers began leaking hacking tools in August 2016, and the codes for both Eternal Synergy and Double Pulsar codes were released in April 2017.

Hackers subsequently harnessed the leaked tools to create new malware, including the WannaCry and NotPetya strains responsible for infections computer around the world in the weeks afterward.

The U.S. has blamed WannaCry and NotPetya on North Korea and Russian hackers, respectively. Moscow and Pyongyang have denied involvement.